Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User Agent Client Hints #202

Closed
yoavweiss opened this issue Sep 5, 2019 · 6 comments
Closed

User Agent Client Hints #202

yoavweiss opened this issue Sep 5, 2019 · 6 comments
Labels
ietf

Comments

@yoavweiss
Copy link

Request for Mozilla Position on an Emerging Web Specification

Other information

The User Agent header that is being sent today on every request provides an excellent source of entropy that can be used to passively fingerprint users. It would be great if browsers could stop sending that information by default to all servers, regardless of whether those servers need it or not.

The User Agent Client Hint proposal is destined to replace the User Agent header, to achieve the following:

  • Send significantly less information by default (only the browser brand and major version).
  • Split the current entropy-laden string into several separate hints/attributes, enabling servers to request some information (e.g. minor version number), without being exposed to other information (e.g. CPU architecture).
  • Enable 1P servers to opt-in to receive that information as HTTP request headers, as well as in a JS API, while giving 3P servers access to that information only if delegated from the 1P.

The above will enable browsers to keep track of servers that collect that information, and take actions to protect users' privacy in cases where that collection is likely abusing it.

Another interesting characteristic of reseting access to the UA string is that it can allow browsers to apply GREASE to the new values, in order to prevent the negative implications of UA sniffing seen on the web today.
@yoavweiss yoavweiss mentioned this issue Sep 5, 2019
Closed
@dbaron
Copy link
Contributor

dbaron commented Oct 21, 2019

So it's worth noting explicitly that a bunch of the comments made in #79 apply here -- but at the same time this is a separate question from the one in #79 that we ought to discuss.

@yoavweiss
Copy link
Author

/cc @miketaylr - who shown interest in the feature when we discussed it at ViewSource

@adamroach adamroach added the ietf label Nov 16, 2019
@miketaylr
Copy link

Hey @yoavweiss - sorry for the delay here. I've been having discussions with Tanvi and @martinthomson about the User Agents Hints proposal and here's some draft language that could maybe result in a position:

Description

The UA Hints proposal aims to solve the following problems associated with the User Agent (UA) string: UA sniffing, UA spoofing, and an entropy-rich target for fingerprinting. The proposal is to build on top of the Client Hints infrastructure and solve these problems over time.

(Draft) Mozilla's Position

Using Client Hints to deliver info derived from the User Agent header for servers who specifically request this information may reduce the number of parties that can use this information for passively fingerprinting users. However, we could reduce this even further by freezing the User Agent string and requiring resources to actively request this information via the proposed NavigatorUAData interface JS APIs. This would also allow us to audit the callers. At this time, freezing the User Agent string without any client hints—seems worth-prototyping. We look forward to learning from other vendors who implement the “GREASE-like UA Strings” proposal and its effects on site compatibility.

Less formal version:

We're very interested in the freezing UA string stuff and NavigatorUAData JS APIs, and think those are worth prototyping. Personally, the GREASE-like stuff is interesting but slightly scary. I'd love to see Chrome turn that on in Canary at some point and see what happens.

But I don't think the positive points change our position on Client HInts (which is currently "non-harmful"). @martinthomson could probably expound on that.

@adamroach
Copy link
Contributor

Thanks, @miketaylr -- after double-checking with Martin, and reading @dbaron's comment above as not varying from the related Client Hints position, I'm closing this and adding your proposed text to the spreadsheet.

@nielsbasjes nielsbasjes mentioned this issue Jan 17, 2020
Closed
@heyhippari heyhippari mentioned this issue Apr 11, 2020
Open
@annevk annevk mentioned this issue Jan 28, 2021
Open
@miketaylr miketaylr mentioned this issue May 27, 2021
Closed
@yoavweiss yoavweiss mentioned this issue Jun 3, 2021
Closed
1 task
martinthomson added a commit to martinthomson/standards-positions that referenced this issue Jul 13, 2021
@martinthomson
Update UA client hints to harmful
0041dd9 
Recent additions to the API increase the information that is made
available to sites with insufficient justification.  Other
characteristics of the proposal have always been uncomfortable, but that
change in particular pushes this proposal into being harmful.  mozilla#552
lists other reasons in support of this conclusion.

Our basic position remains unchanged: freezing the UA string is a good
idea, but somewhat challenging (as others have found), providing a
replacement that is only an alternative spelling is not useful and
verges on harmful, deliberately adding fingerprinting information to the
web is harmful.

For mozilla#202.
Closes mozilla#552.
@martinthomson martinthomson mentioned this issue Jul 13, 2021
Merged
martinthomson added a commit that referenced this issue Jul 13, 2021
@martinthomson
Update UA client hints to harmful (#553)
72ea744 
* Update UA client hints to harmful

Recent additions to the API increase the information that is made
available to sites with insufficient justification.  Other
characteristics of the proposal have always been uncomfortable, but that
change in particular pushes this proposal into being harmful.  #552
lists other reasons in support of this conclusion.

Our basic position remains unchanged: freezing the UA string is a good
idea, but somewhat challenging (as others have found), providing a
replacement that is only an alternative spelling is not useful and
verges on harmful, deliberately adding fingerprinting information to the
web is harmful.

For #202.
Closes #552.

* Editorial tweak
@pointydev pointydev mentioned this issue Jul 13, 2021
Open
@BenjaminAster
Copy link

Chromium has been shipping User Agent Client Hints for over a year now. I understand that you are skeptical about the Sec-UA-CH headers, but an implementation of the NavigatorUAData API in JavaScript would be awesome as it would make browser- and OS-detection a lot simpler. In Gecko and WebKit, you currently have to parse the navigator.userAgent string for this, which is very impractical. (And Chromium DevTools show an issue when using it – telling me to migrate to navigator.userAgentData). I'd be pleased if Mozilla could give an update on this, and eventually implement at least NavigatorUAData in Gecko.

@martinthomson
Copy link
Member

https://bugzilla.mozilla.org/show_bug.cgi?id=1750143 tracks the implementation. I can't say anything about priority, but you can follow along there @BenjaminAster.

@gsnedders gsnedders mentioned this issue Oct 7, 2022
Open
Daasin pushed a commit to Daasin/standards-positions that referenced this issue Jan 5, 2023
@martinthomson @Daasin
Update UA client hints to harmful (mozilla#553)
73b530f 
* Update UA client hints to harmful

Recent additions to the API increase the information that is made
available to sites with insufficient justification.  Other
characteristics of the proposal have always been uncomfortable, but that
change in particular pushes this proposal into being harmful.  mozilla#552
lists other reasons in support of this conclusion.

Our basic position remains unchanged: freezing the UA string is a good
idea, but somewhat challenging (as others have found), providing a
replacement that is only an alternative spelling is not useful and
verges on harmful, deliberately adding fingerprinting information to the
web is harmful.

For mozilla#202.
Closes mozilla#552.

* Editorial tweak
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ietf
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@miketaylr @martinthomson @dbaron @yoavweiss @adamroach @BenjaminAster and others